EdgeMax support?

Are there any plans to port to other chips other than x86? I have an EdgeMax router (a great little $99 router) that runs EdgeOS (a Debian port) on a MIPS64 architecture. I would love to be able to just run a simple command to switch my router over to routing through Vypr.

I know you already have some provided linux support (via a deb package) and mips support (via tomato routers), but it is hard to find what exactly you are doing with either without downloading both and tearing them apart.

That is an interesting router. You’re right; right now VyprVPN for Linux supports Debian i386 and amd64, and VyprVPN Router supports MIPS, but that router isn’t supported by Tomato by Shibby. We aren’t ready to release future plans on either platform yet, but we will look into how that router can fit into them.

Let me know if there is anything I can do to help.

@tolldog,

I love the EdgeMax Router! I have a completely unofficial set of documentation for configuring the EdgeMax Router to connect to VyprVPN over the OpenVPN protocol. I made it for a friend of mine who needed a solid device for his home network while he lives in a less hospitable area of the world.

The steps are a bit on the heavy side as you have to edit some files directly on the device (not terribly intrusive, but edits nonetheless). The instructions are also written against v1.5.0 of the firmware and I’ve not tested/updated them for v1.6.0. If there is interest I can dig them up, clean them up, and get some information posted here.

MikeDoug

@mikedoug - that would be awesome. I have messed around with the router now a little bit, so I feel fairly comfortable with the configuration and formatting. I just have issues getting it to actually route correctly after the vtun0 interface is established.

I would be glad to take the documentation and verify it for 1.6 and releases going forward, as well as clean it up if needed.

Thanks!

Here’s the unofficial documentation I have for the EdgeMax Router. Please let me know if you find any discrepancies and I’ll update this post. At the end are some random thoughts I had while preparing this today – I get a feeling that I left something out with respect to the outbound-interface on the NAT rule to make it work properly, and I give insight into that at the end of this document.

Thanks!
MikeDoug

(Unofficial) How to Configure OpenVPN on a Ubiquiti EdgeMax Router

NOTE: These instructions were created using v1.5.0 of the EdgeMax firmware. They have not been tested with any newer versions at this time. These instructions are shared to help the community, but are not currently maintained by Golden Frog. Feedback and support from the community are always welcome!

The Ubiquiti command line interface is somewhat non-intuitive. Perform the following steps:

  • Log into the router.
  • Enter configuration mode:
  $ configure
  • Open the /config/config.boot file for editing and add the following sections:
interfaces {
    openvpn vtun0 {
        mode client
        openvpn-option "--verb 3"
        openvpn-option --comp-lzo
        openvpn-option "--auth-user-pass /config/auth/secret.txt"
        openvpn-option "--link-mtu 1542"
        remote-host us1.vpn.goldenfrog.com
        remote-port 1194
        tls {
            ca-cert-file /config/auth/ca.vyprvpn.com.crt
        }
    }
}
service {
    nat {
        rule 5000 {
            description NAT
            log disable
            /* eth0 is the Internet uplink port; change per your configuration */
            outbound-interface eth0  
            protocol all
            type masquerade
        }
    }
}

Note: in the future we should provide the commands to enact those same changes instead of modifying the boot configuration file. It’d also be a good idea to copy config.boot to a backup file in case the file is damaged beyond repair.

  • Open the following file for editing: /opt/vyatta/share/perl5/Vyatta/OpenVPN/Config.pm, and comment out the following section shown by adding the “if(0) {” at the top and the “}” line at the bottom:
if(0) {               # Add this line
    return (undef, 'Must specify "tls cert-file"')
      if (!defined($self->{_tls_cert}));
    $hdrs = checkHeader("-----BEGIN CERTIFICATE-----", $self->{_tls_cert});
    return (undef, "Specified cert-file \"$self->{_tls_cert}\" is not valid")
      if ($hdrs != 0); 
    $cmd .= " --cert $self->{_tls_cert}";
                          
    return (undef, 'Must specify "tls key-file"')
      if (!defined($self->{_tls_key}));
    $hdrs = checkHeader("-----.* PRIVATE KEY-----", $self->{_tls_key});
    return (undef, "Specified key-file \"$self->{_tls_key}\" is not valid")
      if ($hdrs != 0);    
    $cmd .= " --key $self->{_tls_key}";
}                     # Add this line
  • Download the VyprVPN CA certificate to /config/auth/ca.vyprvpn.com.crt:
  $ cd /config/auth 
  $ curl -O https://www.goldenfrog.com/downloads/ca.vyprvpn.com.crt  
  • Create the /config/auth/secret.txt file with your username on the first line and your password on the second line:
  $ vi secret.txt
  • Load your changes to complete the process:
  $ load
  $ commit
  $ save
  $ exit

The OpenVPN Client interface will now be created, and the connection will automatically come up.

How to Change the OpenVPN Server

To change the OpenVPN server, complete the following steps:

  $ configure
  $ delete interfaces openvpn vtun0 remote-host
  $ set interfaces openvpn vtun0 remote-host us2.vpn.goldenfrog.com
  $ compare
  $ commit
  $ save
  $ exit

Other Notes

The VPN will be always on. You can turn the VPN on/off by enabling/disabling, respectively, the tun0 adapter from the EdgeMax GUI. A memory stirs that the NAT rule actually needs to read “outbound-interface tun0” when the VPN is up and “outbound-interface eth0” when the VPN is down. Something to watch.

This worked exactly as advertised. I think there are ways to put a lot of the config in an ovpn file and issue a single command line to create the vtun0 interface with openvpn reading the ovpn file.

I will copy my working config and work on getting that working. My only concern is why we have to comment out some of the tls code in the perl module. It appears that it has to do with how the tls config block is written, but I believe that if the ca cert line is in the .ovpn file, we can avoid the code modification.

In theory, all of this should be a simple shell script. I will look at doing that this week.

@tolldog if you get it working in a more concise fashion, I welcome the updates to the instructions! That’d be a great win for the forum here in general.

Also, the reason you have to comment out the TLS section of the Perl code is because the Vyatta software on the device mandates that you use a TLS Key and Certificate for doing CLIENT authentication. We don’t currently support using certificates to authenticate you are who you say you are – we use username and password for that. If you don’t comment that section out, the software will not allow you to use OpenVPN in this manner.

I look forward to seeing your furthered work on this.

Thanks,
MikeDoug

You don’t need to hack up the perl file if you use a .ovpn config file:

root@ubnt:~# cd /config/auth
root@ubnt:/config/auth# cat sf.vyprvpn.ovpn 
client
dev tun
proto udp
remote us7.vyprvpn.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
;ca ca.vyprvpn.com.crt
tls-remote us7.vyprvpn.com
auth-user-pass /config/auth/secret.txt
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted here; paste the contents of ca.vyprvpn.com.crt)
-----END CERTIFICATE-----
</ca>

The secret.txt is the same as you mention. Then go into config mode and add it:

configure
set interfaces openvpn vtun0 config-file /config/auth/sf.vyprvpn.ovpn
commit
save
exit

Add a NAT rule to finish it off:

configure
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface vtun0
commit
save
exit

@stig,

That is a much better solution! We will have to try that out and see how well it works.

Thanks!
MikeDoug

I have been using a similar configuration since last Sept but had frequent VPN resets so I was especially glad to see someone else trying to use Edgemax and Vyprvpn. Since the offered .ovpn was slightly different I used it to see if the resets were resolved. Unfortunately not.

Jul 11 16:27:51 ubnt openvpn[1541]: [us7.vyprvpn.com] Inactivity timeout (--ping-restart), restarting
Jul 11 16:27:51 ubnt openvpn[1541]: SIGUSR1[soft,ping-restart] received, process restarting

When this happened there was a YouTube video being streamed; I would think that it would have been activity, but obviously not.

Any hints on how to avoid the resets? They are very disruptive.

Thanks

Found the reset problem, it was my network configuration. Here is my updated configuration that works with 1.7.

client
dev tun
proto udp
remote us7.vpn.goldenfrog.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /config/auth/ca.vyprvpn.com.crt
verify-x509-name us7.vyprvpn.com name
auth-user-pass /config/auth/pass.txt
comp-lzo
verb 3

Thanks

Well I was incorrect, still getting restarts.

Jul 13 11:27:29 ubnt openvpn[1549]: [us7.vyprvpn.com] Inactivity timeout (--ping-restart), restarting
Jul 13 11:27:29 ubnt openvpn[1549]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 13 11:27:29 ubnt openvpn[1549]: Restart pause, 2 second(s)

This is happening hourly, at the same minute of each hour.

Suggestions please.

Mike

Alright, again entirely my problem. I was using the Edgemax behind another router and had placed the Edgemax in the DMZ. I thought all was well but have now found that the first router was blocking pings. After unblocking pings all is well.

Mike
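The restart pattern Mike describes above (a ping-restart every hour at the same minute, traced to an upstream router dropping the keepalive pings) is easy to spot in the log if you measure the spacing between events rather than reading lines by eye. The following is an added example, not code from any poster or from Golden Frog: it parses OpenVPN syslog lines of the shape quoted in this thread and reports whether the restarts are evenly spaced. The sample log lines are constructed to match that shape, and the year (syslog omits it) is an assumption.

```python
import re
from datetime import datetime

# Shape of the lines quoted in the thread, e.g.
# "Jul 13 11:27:29 ubnt openvpn[1549]: [us7.vyprvpn.com] Inactivity timeout (--ping-restart), restarting"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ openvpn\[(?P<pid>\d+)\]: "
    r"(?:\[(?P<peer>[^\]]+)\] )?(?P<msg>.*)$"
)

# Constructed sample: three ping-restarts, one hour apart, plus the follow-up lines
# OpenVPN logs after each one (the same three-line pattern Mike quoted).
SAMPLE_LOG = """\
Jul 13 09:27:29 ubnt openvpn[1549]: [us7.vyprvpn.com] Inactivity timeout (--ping-restart), restarting
Jul 13 09:27:29 ubnt openvpn[1549]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 13 09:27:31 ubnt openvpn[1549]: Restart pause, 2 second(s)
Jul 13 10:27:29 ubnt openvpn[1549]: [us7.vyprvpn.com] Inactivity timeout (--ping-restart), restarting
Jul 13 10:27:29 ubnt openvpn[1549]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 13 11:27:29 ubnt openvpn[1549]: [us7.vyprvpn.com] Inactivity timeout (--ping-restart), restarting
Jul 13 11:27:29 ubnt openvpn[1549]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 13 11:27:29 ubnt openvpn[1549]: Restart pause, 2 second(s)
""".splitlines()


def parse_restarts(lines, year=2015):
    """Return the timestamps of ping-restart events, in log order.
    Syslog lines carry no year, so one is assumed (2015 here)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or "Inactivity timeout (--ping-restart)" not in m.group("msg"):
            continue
        events.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    return events


def restart_period_seconds(lines, tolerance=60.0, year=2015):
    """If the restarts are evenly spaced (all gaps within `tolerance` seconds of the
    first gap), return that period in seconds; otherwise return None.
    Even spacing points at a timer or a device on the path (here: the upstream router
    dropping the keepalive pings), not at whatever traffic is on the tunnel."""
    events = parse_restarts(lines, year)
    if len(events) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(events, events[1:])]
    if all(abs(g - gaps[0]) <= tolerance for g in gaps):
        return gaps[0]
    return None


if __name__ == "__main__":
    print(f"restart period: {restart_period_seconds(SAMPLE_LOG)} s")  # 3600.0 on the sample
```

Run it against `/var/log/messages` from the router (the EdgeOS syslog) by passing the file's lines instead of `SAMPLE_LOG`; a period that lines up with a timer on another device is the clue to look there rather than at the OpenVPN configuration.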

With my network configuration issues solved and VyprVPN, OpenVPN protocol, working great on my EdgeMax Lite router, it is time to ask how one might establish the Chameleon interface on the EdgeMax?
I’m making my annual two month visit to China and would like to ensure there are no GFW issues.
I see that Chameleon is available on DD-WRT and Tomato routers so I’m hopeful.

Thanks,

Mike

Mike, I’m not familiar with Chameleon - is that a Vyprvpn proprietary protocol? If it’s open source I could compile it for mips64 and see if it works. Perhaps we could make a debian package so that it’s easy to install on EdgeMax.

stig


Stig, thanks, but Chameleon is a GoldenFrog proprietary protocol. Their description: "Chameleon uses the unmodified OpenVPN 256-bit protocol and scrambles the metadata to ensure it’s not recognizable via deep packet inspection (DPI)."

Mike

Mike, thanks for the clarification. Ideally we’d come up with an easier way to make VyprVPN IPsec work with EdgeMax, since that has higher performance than OpenVPN. I have gotten IPsec to work with VyprVPN, but it’s tricky.

stig

Improved performance is always a goal, but for now I’m happy with the connectivity. The real test will be in September when I’m back in China; between the GFW and a less than rock solid internet service it is challenging. My home in China is not in a major tech or foreign business location where solid ISPs exist.

Mike

Very thankful for this forum post. I’m using VyOS 1.1.5 and, with EdgeMax being based off the same core code, I was able to get a working solution with the original method described by @mikedoug.

I was hoping to be able to use the config-file method posted by @stig as it was far cleaner and didn’t require me to tinker with system files that will likely be overwritten whenever the software is updated. Alas VyOS doesn’t support that particular switch.

Thanks again.